And while some 59% of the attacks were on devices in the manufacturing sector, Zscaler also discovered a number of unexpected home or personal devices connecting to the cloud, including smart refrigerators and musical lamps that were still sending traffic through corporate networks. Other devices affected include digital home assistants, media players, set-top boxes, smart glasses, smart TVs, DVRs and smart watches.
Each IoT device that connects to a corporate network has the potential to serve as a gateway to other connected devices and sensitive corporate information,” explained Viral Gandhi, senior security researcher, mobile and IoT at Zscaler.
“Combating this problem requires a combination of visibility, architecture, and policy enforcement,” Gandhi said. “IT teams need visibility into the unsanctioned devices in their environment and should inspect all encrypted and unencrypted traffic going to the internet. They should use least-privilege access policies to stop unsanctioned devices from connecting to anything inbound and to allow corporate devices to connect only to what they need. Utilizing zero trust is the only way to ensure that these devices don’t leave them vulnerable to data exposure.”
With today’s cloud and SaaS platforms, the corporate network has no longer become the only way to access data, said Brendan O’Connor, co-founder and CEO of AppOmni. O’Connor said data gets frequently accessed through third-party apps, IoT devices in the home, and portals created for external users like customers, partners, contractors and MSPs.
“Access through these channels often completely bypasses the corporate network, instead relying on OAuth tokens or other types of verification,” O’Connor said.
“We find that while companies are eager to use these access points to increase the functionality of their cloud and SaaS systems, they often neglect to secure and monitor them in the same way they’ve secured access from their corporate network, leading to major access vulnerabilities that may be completely unknown to the company,” O’Connor said.
Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows, added that connecting IoT devices to our private corporate networks expands the attack surface and potentially exposes sensitive data such as medical records, personally identifiable information, and workplace plans.
“One of the main problems with IoT security at the present is that the rush to market often de-prioritizes security measures that need to be built into our devices,” De Blasi said. “This issue has made many IoT devices low-hanging fruits for criminals interested in stealing sensitive data and accessing exposed networks. Additionally, criminals can exploit vulnerable products, by leveraging their computing power, and orchestrate massive IoT botnet campaigns to disrupt traffic on targeted services and to spread malware.”